Securing Cisco IOS Routers

On most networks, routers are typically used as perimeter devices that connect internal networks to public networks, such as the Internet. For outside users, which include legitimate users and potential attackers, such deployments make routers the first point of entry into the network. It is therefore important to understand the methods available in Cisco IOS to protect routers and their related components. The IINS exam objectives covered in this chapter are as follows:

  • Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, and login failure rate and by using IOS login enhancements
  • Secure administrative access to Cisco routers by configuring multiple privilege levels
  • Secure administrative access to Cisco routers by configuring role-based CLI
  • Secure the Cisco IOS image and configuration file
  • Secure Cisco routers using the SDM Security Audit feature
  • Use the One-Step Lockdown feature in SDM to secure a Cisco router

Securing Administrative Access to IOS Routers

Because routers form an integral part of the network and security infrastructure, it is imperative that these devices are not overlooked in the overall security solution implementation. Cisco IOS devices provide several features that can be used to implement basic security for Command Line Interface (CLI) sessions.

The Cisco IOS CLI is divided into different command modes. Each command mode has its own set of commands available for the configuration, maintenance, and monitoring of router and network operations. The commands available to you at any given time depend on the mode you are in. Entering a question mark (?) at the system prompt, for a particular mode, allows you to obtain a list of commands available within that mode.

The standard order in which a user accesses the modes is user EXEC mode, privileged EXEC mode, global configuration mode, specific configuration modes, configuration submodes, and configuration sub-submodes. In order to gain access to router configuration mode, a user must first gain access to privileged EXEC mode by using the enable [privilege level] command in EXEC mode, as illustrated in the following output:

R1>enable ?
  <0-15>  Enable level
  view    Set into the existing view
  <cr>

By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level. Access to each privilege level is enabled through separate passwords, which you specify when configuring the privilege level.

In addition to configuring the privilege levels locally on the Cisco networking device, these command privileges can also be implemented using AAA with TACACS+ and RADIUS. For example, TACACS+ provides two ways to control the authorization of router commands on a per-user or per-group basis. The first way is to assign privilege levels to commands and have the router verify with the TACACS+ server whether the user is authorized at the specified privilege level. The second way is to specify explicitly in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed. AAA, TACACS+, and RADIUS are all described in detail in the next chapter.

If you do not include a specific privilege level at the end of the enable command, Cisco IOS automatically assumes access using a privilege level of 15; therefore, the Level 15 password must be used, otherwise authentication will not succeed. The local password for different privilege levels can be set via the enable password level [level] [password] command or, preferably, the enable secret level [level] [password] command.

NOTE: It is important to remember that while the enable password command is a valid command, it uses a weak hashing algorithm and can be cracked with relative ease, and is therefore not recommended. In addition to this, by default, the password is stored in unencrypted form in the router configuration, unless the service password-encryption configuration command is used. This command should not be used if the enable secret command is available. It is retained in Cisco IOS software for the purposes of maintaining backward compatibility with older Cisco IOS software versions.

However, in recent Cisco IOS versions (i.e. Cisco IOS 12.3 and later), whenever the enable password level [level] [password] command is used, the router will automatically change this command to the enable secret level [level] [password] command, will automatically encrypt the password (using the MD5 hash algorithm), and will print the password in encrypted form without the need for any additional configuration, as illustrated in the following:

R1(config)#enable password level 1 cisco123
% Converting to a secret.  Please use "enable secret" in the future.

R1(config)#end
R1#
R1#show running-config | include enable
enable secret level 1 5 $1$g1uI$LOSsygicI1C02.8xCOnjO1
R1#

Referring back to the use of the enable secret command, the following example illustrates the steps required to configure an enable password for Level 15 access on a Cisco IOS device. The privilege level can then be validated by using the show privilege command:

R1(config)#enable secret level 15 security456
R1(config)#exit
R1#disable
R1>
R1>enable 15
Password:
R1#
R1#show privilege
Current privilege level is 15
R1#

The use of different enable passwords for different CLI privilege levels typically goes hand-in-hand with the restriction of command execution at certain privilege levels via the privilege exec [all|level] [level] [command] command. It is important to keep in mind that before Cisco IOS Releases 12.0(22)S and 12.2(13)T, each command in a privilege level had to be specified with a separate privilege command. However, in Cisco IOS Releases 12.0(22)S, 12.2(13)T and later releases, a wildcard option, specified by the keyword all, was introduced. This keyword allows administrators to configure access to multiple commands with only one privilege command.

By using the all keyword, you can specify a privilege level for all commands that begin with the string you enter. In other words, the all keyword allows you to grant access to all command-line options and sub-options for a specified command. For example, if you wanted to create a privilege level to allow users to configure all dynamic routing protocols (i.e. via the use of the router command), the following configuration would be implemented on the router:

R1(config)#privilege exec all level 15 router
R1(config)#

The use of the all wildcard in the output illustrated above removes the need to configure a separate privilege command for each routing protocol, for example, privilege exec level 15 router ospf, privilege exec level 15 router eigrp, and privilege exec level 15 router rip, to set a privilege level of 15 for OSPF, EIGRP, and RIP configuration.

If the command specified in the privilege command used with the all keyword contains a configuration sub-mode, all commands in the sub-mode of that command will also be set to the specified privilege level. An example of sub-mode configuration would be the configuration of a sub-interface off a main router interface, such as an Ethernet or Frame Relay interface.

When privilege levels are used for commands, users must use the appropriate password (and level) in order to be allowed to execute restricted commands. For example, in the following configuration, all show commands are assigned a privilege level of 7, while all debug commands are assigned a privilege level of 9. These two levels are assigned two different passwords: security7 and security9, respectively.

R1(config)#privilege exec all level 7 show
R1(config)#privilege exec all level 9 debug
R1(config)#enable secret level 7 security7
R1(config)#enable secret level 9 security9
R1(config)#exit
R1#

Based on this configuration, the Level 7 password will enable the user to execute any show commands, as well as their options. However, no debug commands will be allowed. On the other hand, logging in with the Level 9 password automatically grants access to the Level 7 show commands (because they are of a lower privilege Level), as well as any debug commands and their options, as illustrated in the following output:

R1>enable 7
Password:
R1#
R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.1      YES NVRAM  up                    up
Serial0/0                  10.1.1.1        YES NVRAM  down                  down
R1#
R1#debug ip packet
^
% Invalid input detected at '^' marker.

R1#
R1#disable
R1>
R1>enable 9
Password:
R1#
R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.1      YES NVRAM  up                    up
Serial0/0                  10.1.1.1        YES NVRAM  down                  down
R1#
R1#debug ip packet
IP packet debugging is on
R1#

Although the privilege command is typically used to restrict access to Cisco IOS EXEC commands, it is important to know that it can also be used to restrict access to configuration commands. The same configuration logic that applies to EXEC commands applies to the restriction of configuration commands. For example, to allow a user with a privilege level of 7 to access configuration mode, but restrict them to only routing protocol configuration, the following configuration would be implemented on the router:

R1(config)#enable secret level 7 mypassword
R1(config)#privilege exec level 7 configure terminal
R1(config)#privilege configure all level 7 router
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#exit
R1(config)#exit
R1#

This configuration can then be tested by accessing the router and logging in using the Level 7 secret, as illustrated in the following output:

R1>enable 7
Password:
R1#
R1#show privilege
Current privilege level is 7
R1#
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router ospf 1
R1(config-router)#exit
R1(config)#ip route 10.0.0.0 255.255.255.0 fastethernet0/0
^
% Invalid input detected at '^' marker.

R1(config)#hostname r1
^
% Invalid input detected at '^' marker.

As illustrated in the output above, the Level 7 user is able to log in to the router and is immediately put into privileged mode, which allows the user to enter the configure terminal command that has been manually configured as a level 7 command. Additionally, the user is successfully able to enable OSPF routing on R1, using a process ID of 1 because all configuration commands that begin with router are permitted for users with a privilege Level of 7.

However, as can also be seen, the user is unable to configure a static route, or even change the hostname of the router, because these commands still default to Level 15 access, which is the default privilege level for all configuration commands in Cisco IOS software, and are therefore unavailable to or invalid for a Level 7 user.
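
The privilege-level behaviour shown in the R1 sessions above (the all wildcard, the level 15 default for configuration commands, and a level 9 user inheriting the level 7 show commands) can be modelled in a few lines of Python. This is an added example, not part of the original text or of Cisco IOS; the default-level table and the prefix-matching rules are simplifying assumptions.

```python
"""Model of how Cisco IOS authorizes a command for a user at a given privilege
level, driven by `privilege <mode> [all] level <n> <command>` statements as the
text describes.  Added illustrative code, not IOS internals.  Matching rules
are a simplification (assumption): with 'all' a statement covers every command
beginning with its tokens, without 'all' it covers exactly those tokens, and
the longest matching statement wins."""
from dataclasses import dataclass

# Assumption: a small table of EXEC commands that IOS offers at level 1 by
# default; every other EXEC command, and (per the text) every configuration
# command, defaults to level 15.
DEFAULT_LEVEL_1_EXEC = {"show", "ping", "traceroute", "enable", "disable", "exit", "logout"}

@dataclass(frozen=True)
class PrivilegeStatement:
    mode: str             # "exec" or "configure"
    level: int
    command: tuple        # command tokens, e.g. ("configure", "terminal")
    all_suboptions: bool  # True when the 'all' keyword was given

def parse_privilege(line):
    """Parse e.g. 'privilege exec all level 7 show' into a PrivilegeStatement."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "privilege" or "level" not in tokens:
        raise ValueError(f"not a privilege statement: {line!r}")
    idx = tokens.index("level")
    level, command = int(tokens[idx + 1]), tuple(tokens[idx + 2:])
    if not command or not 0 <= level <= 15:
        raise ValueError(f"malformed privilege statement: {line!r}")
    return PrivilegeStatement(tokens[1], level, command, tokens[2] == "all")

class PrivilegeTable:
    def __init__(self, lines=()):
        self.statements = [parse_privilege(line) for line in lines]

    def level_of(self, mode, command):
        """Privilege level required to run `command` (a string) in `mode`."""
        tokens = tuple(command.split())
        best = None
        for s in self.statements:
            if s.mode != mode:
                continue
            n = len(s.command)
            matched = tokens[:n] == s.command if s.all_suboptions else tokens == s.command
            if matched and (best is None or n > len(best.command)):
                best = s   # the most specific statement wins
        if best is not None:
            return best.level
        if mode == "exec" and tokens and tokens[0] in DEFAULT_LEVEL_1_EXEC:
            return 1
        return 15

    def permitted(self, mode, command, user_level):
        """A user may run any command whose level is at or below their own,
        which is why a level 9 user inherits the level 7 'show' commands."""
        return user_level >= self.level_of(mode, command)

# The privilege statements from the R1 examples in the text, in one table.
TABLE = PrivilegeTable([
    "privilege exec all level 7 show",
    "privilege exec all level 9 debug",
    "privilege exec level 7 configure terminal",
    "privilege configure all level 7 router",
])

if __name__ == "__main__":
    checks = [(7, "exec", "show ip interface brief"), (7, "exec", "debug ip packet"),
              (9, "exec", "debug ip packet"), (7, "configure", "router ospf 1"),
              (7, "configure", "ip route 10.0.0.0 255.255.255.0 fastethernet0/0"),
              (7, "configure", "hostname r1"), (1, "exec", "show version")]
    for level, mode, cmd in checks:
        verdict = "ok" if TABLE.permitted(mode, cmd, level) else "% Invalid input"
        print(f"level {level:2d} {mode:9s} {cmd!r}: {verdict}")
```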

While using the enable secret and privilege exec commands provides security for local CLI access, consideration must also be given to remote CLI access. Remote CLI sessions are created between a host (e.g. a PC) and a networking device (e.g. a router) over a network using a remote terminal access application, such as Telnet or Secure Shell (SSH). Local CLI sessions start in user EXEC mode. It is important to remember that terminal lines, such as the Console and VTY lines, can be used for both local and remote CLI sessions.

These lines can be secured using passwords, which is performed via the use of the password command. Unlike the password used to enter EXEC mode, all passwords specified on terminal lines are Level 1 passwords, and this cannot be changed. This means that once the password has been entered, the user is placed into EXEC mode and must use the enable command and specify the correct password to gain access to privileged EXEC mode. The configuration for both the Console and VTY lines is similar and is performed as follows:

R1(config)#line con 0
R1(config-line)#password security
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password security
R1(config-line)#exit
R1(config)#exit
R1#

When configuring terminal-line passwords, these passwords are treated in the same way as the privileged EXEC password configured using the enable password command and are not encrypted by default. This means that these passwords are viewable in plain text in the running configuration of the router, as illustrated in the following output:

R1#show running-config | begin line
line con 0
 password security
line aux 0
line vty 0 4
 password security
 login
!
!
end

In order to change this default behaviour, the router must be configured with the service password-encryption global configuration command, as follows:

R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#service password-encryption
R1(config)#exit
R1#show running-config | begin line
line con 0
 password 7 111A1C06020002181D
line aux 0
line vty 0 4
 password 7 03175E08131D285857
 login
!
!
end

Even though the passwords are now encrypted, it is important to remember that the encryption algorithm used is the same as that used for the enable password command and is very weak.

In addition to simply setting passwords, the exec-timeout command can also be used for remote CLI sessions inbound on terminal lines. This command is used to set the interval that the EXEC command interpreter waits until user input is detected.

By default, this value is ten minutes, which means that if a user is connected via the Console, for example, the EXEC process will remain idle for up to ten minutes before the user must log in again. This is a relatively excessive amount of time; therefore, it is recommended that this value be lowered to enhance the security of the device, as illustrated in the following example, where the EXEC process timeout is reduced to one and a half minutes for VTY 0:

R1(config)#line vty 0
R1(config-line)#exec-timeout 1 30
R1(config-line)#exit
R1(config)#exit
R1#
R1#show line vty 0
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
    66 VTY              -    -      -    -    -      0       0     0/0       -

Line 66, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: No Exit Banner
Capabilities: none
Modem state: Idle
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               00:01:30        never                        none     not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 20.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are pad telnet rlogin mop v120 ssh.
Allowed output transports are pad telnet rlogin mop v120 ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters

In the same manner that user workstations can and should be locked if active programs are running, the terminal lines in Cisco IOS routers can also be locked by using the lockable line configuration command. This command requires a valid password to lock and unlock the terminal line and provides an additional layer of security, as follows:

R1(config)#line vty 0 4
R1(config-line)#lockable
R1(config-line)#exit
R1(config)#exit
R1#
R1#lock
Password:
Again:

Locked

Password:
R1#
R1#show line vty 0
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
    66 VTY              -    -      -    -    -      0       0     0/0       -

Line 66, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: No Exit Banner
Capabilities: Lockable
Modem state: Idle
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               never         never                        none     not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 20.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are pad telnet rlogin mop v120 ssh.
Allowed output transports are pad telnet rlogin mop v120 ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters

In addition to setting different passwords for different privilege levels, Cisco IOS software also provides additional commands that can be used (and should be used) to further secure the router. These commands are the security passwords min-length <length> and the security authentication failure rate <threshold-rate> log commands.

The security passwords min-length <length> command is a global command that sets the minimum password length for user, enable, and terminal line passwords. This command is used to specify the minimum length of a configured password, which is six characters by default. As stated in Chapter 1, it is good practice to ensure that all passwords are no less than eight characters and contain letters, numbers, and symbols.

This best practice rule can be put into practice on Cisco IOS routers via the use of this command. For example, if this command is used to specify that passwords must be no less than ten characters in length and the user attempts to create a password shorter than that, the following error message will be received:

R1(config)#security passwords min-length 10
R1(config)#enable secret ccnapass
% Password too short - must be at least 10 characters. Password configuration failed
R1(config)#

The security authentication failure rate <threshold-rate> log command is used to configure the number of allowable unsuccessful login attempts, which is ten by default. This default value should generally be shortened to ensure that no one has up to ten attempts to crack the router password. For example, setting a threshold of two or three is generally good practice.

When the threshold is exceeded (before a 15-second delay), this command generates a log message indicating the failure, which quickly alerts administrators to possible attempts to gain unauthorized access to the router without the correct credentials, such as a password attack.

When using the security authentication failure rate <threshold-rate> log command, it is important to remember that logging must be enabled on the router, either locally or to a remote Syslog server. Syslog is a standard for forwarding log messages across an IP network to a remote server running a Syslog daemon. These log messages are sent via UDP, using a destination port of 514. Syslog is explained in detail later in this guide.

For example, to specify that a log message must be generated and sent to Syslog server 192.168.1.254, in the event of two unsuccessful attempts to access the router before a 15-second delay, the following configuration would be implemented:

R1(config)#logging on
R1(config)#logging host 192.168.1.254
R1(config)#security authentication failure rate 2 log
R1(config)#exit
R1#

Usernames, User Passwords, and Privilege Levels

In Cisco IOS software, in addition to configuring passwords and setting different privilege levels for commands, administrators can also create local user accounts, assign those accounts specific privilege levels (which can be used in conjunction with the command restrictions configured using the privilege command), and create passwords for those users. Cisco IOS devices can then be configured so that local and remote sessions to the router are granted access based on configured username and password pairs.

Although the use of the username command is introduced and explained in the CCNA course, it is important to remember that before Cisco IOS Releases 12.0(18)S and 12.2(8)T, there were two types of passwords that were associated with usernames: Type 0, a clear text password visible to any user who has access to privileged mode on the router; and Type 7, a password encrypted by the service password-encryption command.

However, in Cisco IOS Releases 12.0(18)S, 12.2(8)T, and later releases, the new secret keyword for the username command allows you to configure Message Digest 5 (MD5) encryption for user passwords. This is the same encryption algorithm used by the enable secret command. This provides greater security than the algorithm used by the enable password command, which was also used to generate the password hash for user accounts in older IOS versions.

Configuring usernames, their passwords, and privileges in Cisco IOS software is a straightforward task that is performed using the username [name] privilege [level] secret [password] global configuration command. In order to allow terminal lines to authenticate users based on configured usernames, the login local configuration command is required under the terminal lines (i.e. under line con 0, for example).

The following example illustrates how three usernames are configured on a Cisco IOS router. The first user (BASIC) is assigned a privilege level of 1; the second user (INTERMEDIATE) is assigned a privilege level of 7; and the final user (EXPERT) is assigned a privilege level of 15:

R2(config)#username BASIC privilege 1 secret basic
R2(config)#username INTERMEDIATE privilege 7 secret intermediate
R2(config)#username EXPERT privilege 15 secret expert
R2(config)#exit
R2#
R2#show running-config | include username
username BASIC secret 5 $1$49Tu$Wi3WXbLGNOM1pl2MEgiig0
username INTERMEDIATE privilege 7 secret 5 $1$jjnj$tpZzs1l7RpxRwAmN1eLSR/
username EXPERT privilege 15 secret 5 $1$giSy$qLsRy0r4Kfpi427CeiiT61

In addition to the configured usernames, administrators can also use the privilege command to set restrictions on the commands the users can enter. For example, to restrict the user BASIC (Level 1) to only the ping and traceroute commands, and the user INTERMEDIATE (Level 7) to all show commands, the following configuration would be implemented on the router:

R2(config)#privilege exec all level 1 ping
R2(config)#privilege exec all level 1 traceroute
R2(config)#privilege exec all level 7 show
R2(config)#exit
R2#

User Access Verification

Username: BASIC
Password:
R2>show version
^
% Invalid input detected at '^' marker.

R2>ping 172.16.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2>exit


User Access Verification

Username: INTERMEDIATE
Password:
R2#
R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.2      YES NVRAM  up                    up
Serial0/0                  10.1.1.2        YES NVRAM  up                    up
R2#debug ip packet
^
% Invalid input detected at '^' marker.

R2#

In addition to setting privilege levels, the username [name] secret [password] autocommand [command] command can also be used to further restrict users by immediately executing a specified command for a particular user and then logging the user off automatically. When using the autocommand feature, it is important to remember that the user must have the appropriate privilege level in order to execute the command specified in the command string; otherwise, this feature will simply not work. For example, to configure a router to automatically execute the show ip interface brief command for a user (AUTO) and then automatically log the user off, the following configuration would be implemented on the router:

R2(config)#username AUTO secret autosecret
R2(config)#username AUTO autocommand show ip interface brief
R2(config)#exit
R2#

In the configuration illustrated above, it is important to remember that, by default, all show commands are available for Level 1 users. Therefore, the privilege command does not need to be used and the user’s privilege level can also remain the same. The autocommand feature can then be validated by logging in as AUTO. The router simply prints the specified output and automatically terminates the session, as illustrated in the following output:

R2>login
Username: AUTO
Password:
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.2      YES NVRAM  up                    up
Serial0/0                  10.1.1.2        YES NVRAM  up                    up


R2 con0 is now available

Press RETURN to get started.

 

Cisco IOS Login Block

The Cisco IOS Login Block feature, which is a part of the Cisco IOS Login Enhancements feature set, allows administrators to enhance the security of a router by configuring options to automatically block further login attempts when a possible DoS or password attack is detected.

Enabling the Cisco IOS Login Block feature helps mitigate DoS attacks, such as TCP SYN floods or SSH Process Table attacks, that can be used to prevent legitimate administrators from logging in to the device, or that flood the device so that it ceases to route or forward packets as expected. Additionally, this feature can also be used to slow down dictionary attacks. These attacks are mitigated by enforcing a quiet period during which the router will not accept any incoming connection requests once multiple failed connection attempts to the router are detected, which effectively protects the router from the attack.

The login block and login delay options introduced by this feature can be configured for Telnet, SSH, or HTTP connections. This feature provides enhanced security over the security authentication failure rate <threshold-rate> log functionality, which can only send a log message in the event of unsuccessful login attempts within a specified interval, but does not automatically ‘lock down’ the router to prevent any further login attempts.

It is important to keep in mind, however, that even though the router denies connection requests during the quiet period, it is possible to use an ACL (with the addresses that you know to be associated with system administrators) to allow connections only from those addresses. This ensures that administrators have the ability to manage devices during the quiet period.

In order to implement the Cisco IOS Login Block feature successfully, it is important to have a solid understanding of the CLI options available to enable this feature correctly. The commands associated with this feature are as follows:

  • The login block-for [seconds] attempts [tries] within [seconds] command
  • The login quiet-mode access-class [ACL] command
  • The login delay [seconds] command
  • The login on-failure log every [number] command
  • The login on-success log every [number] command

The login block-for [seconds] attempts [tries] within [seconds] command is the very first command that must be issued before any other login command can be used! This command is used to configure the router for login parameters and specifies the amount of time the router should remain in the quiet period if the administrator-specified number of failed attempts is exceeded within the specified period of time.

For example, to configure the router to enter quiet mode for five minutes if three unsuccessful login attempts are received within two minutes, the following configuration would be implemented:

R1(config)#login block-for 300 attempts 3 within 120

R1(config)#exit

R1#

R1#show login

A default login delay of 1 seconds is applied.

No Quiet-Mode access list has been configured.

 

Router enabled to watch for login Attacks.

If more than 3 login failures occur in 120 seconds or less,

     logins will be disabled for 300 seconds.

 

Router presently in Normal-Mode.

Current Watch Window

Time remaining: 107 seconds.

Login failures for current window: 0.

Total login failures: 0.

The login quiet-mode access-class [ACL] command specifies an ACL (named or numbered) that is to be applied to the router when it switches to quiet mode to allow access to the subnets or addresses specified in the ACL. Even though this is an optional command, it is important to keep in mind that if this command is not enabled then all login requests, legitimate and otherwise, will be denied during quiet mode.

Therefore, it is good practice to ensure that an ACL is configured and this command is used so administrators still have access to the device during the quiet period. For example, to configure the router to allow administrators from the 172.16.1.0/24 subnet access to the router during the quiet period, the following configuration would be implemented:

R1(config)#login quiet-mode access-class 100

R1(config)#access-list 100 permit ip 172.16.1.0 0.0.0.255 any

R1(config)#exit

R1#

R1#show login

A default login delay of 1 seconds is applied.

Quiet-Mode access list 100 is applied.

 

Router enabled to watch for login Attacks.

If more than 3 login failures occur in 120 seconds or less,

logins will be disabled for 300 seconds.

 

Router presently in Normal-Mode.

Current Watch Window

Time remaining: 15 seconds.

Login failures for current window: 0.

Total login failures: 0.

The login delay [seconds] command is used to configure a delay between successive login attempts. This is an optional command because, by default, the router uses a default login delay of one second, as illustrated in the output of the show login command:

R1#show login

A default login delay of 1 seconds is applied.

Quiet-Mode access list 100 is applied.

 

Router enabled to watch for login Attacks.

If more than 3 login failures occur in 120 seconds or less,

logins will be disabled for 300 seconds.

 

Router presently in Normal-Mode.

Current Watch Window

Time remaining: 113 seconds.

Login failures for current window: 0.

Total login failures: 0.

This command can be used to change this value to any other value that the administrator so desires. For example, to change the delay interval between successive login attempts to five seconds, the following configuration would be implemented on the router:

R1(config)#login delay 5

R1(config)#end

R1#

R1#show login

A login delay of 5 seconds is applied.

Quiet-Mode access list 100 is applied.

 

Router enabled to watch for login Attacks.

If more than 3 login failures occur in 120 seconds or less,

logins will be disabled for 300 seconds.

 

Router presently in Normal-Mode.

Current Watch Window

Time remaining: 27 seconds.

Login failures for current window: 0.

Total login failures: 0.

The login on-failure log every [number] command is used to generate Syslog messages for failed login attempts. The [number] option generates a log message for the specified number of failed login attempts. When this optional command is configured, it is important to enable logging capabilities on the router, using either the local buffer or a remote Syslog server.

For example, to configure a router to generate a Syslog message for every two (2) failed login attempts, to both the local buffer and a remote Syslog server with the IP address 172.16.1.254, the router would be configured as follows:

R1(config)#login on-failure log every 2

R1(config)#logging on

R1(config)#logging buffered informational

R1(config)#logging trap informational

R1(config)#logging host 172.16.1.254

R1(config)#exit

R1#

R1#show login

A login delay of 5 seconds is applied.

Quiet-Mode access list 100 is applied.

Every 2 failed login is logged.

 

Router enabled to watch for login Attacks.

If more than 3 login failures occur in 120 seconds or less,

logins will be disabled for 300 seconds.

 

Router presently in Normal-Mode.

Current Watch Window

Time remaining: 91 seconds.

Login failures for current window: 0.

Total login failures: 0.

The login on-success log every [number] command performs the same functions as the login on-failure log every [number] command, with the exception that it provides logging for successful login attempts.

For example, to configure a router to generate a Syslog message for every successful login attempt, to both the local buffer and a remote Syslog server with the IP address 172.16.1.254, the router would be configured as follows:

R1(config)#login on-success log every 1

R1(config)#logging on

R1(config)#logging buffered informational

R1(config)#logging trap informational

R1(config)#logging host 172.16.1.254

R1#

R1#show login

A login delay of 5 seconds is applied.

Quiet-Mode access list 100 is applied.

All successful login is logged.

Every 2 failed login is logged.

 

Router enabled to watch for login Attacks.

If more than 3 login failures occur in 120 seconds or less,

logins will be disabled for 300 seconds.

 

Router presently in Normal-Mode.

Current Watch Window

Time remaining: 72 seconds.

Login failures for current window: 0.

Total login failures: 0.

To validate Login Block configuration and parameters, the show login command – which has already been illustrated above – is used. This command can also be used with the failures keyword, which displays information related only to failed login attempts, as follows:

R1#show login ?

failures  Display Login failures in the current watch period

|         Output modifiers

<cr>

 

R1#show login failures

*** No logged failed login attempts with the device.***

It is important to remember that logging information should also be contained in the local router buffer (log). The show logging command can be used to view any information pertaining to the Cisco IOS Login Block feature (depending on feature configuration) as follows:

R1#show logging

Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,

0 flushes, 0 overruns, xml disabled, filtering disabled)

 

No Active Message Discriminator.

 

 

 

No Inactive Message Discriminator.

 

 

Console logging: disabled

Monitor logging: level debugging, 0 messages logged, xml disabled,

filtering disabled

Buffer logging:  level informational, 8 messages logged, xml disabled,

filtering disabled

Logging Exception size (4096 bytes)

Count and timestamp logging messages: disabled

Persistent logging: disabled

Trap logging: level informational, 37 message lines logged

        Logging to 172.16.1.254  (udp port 514,  audit disabled,

authentication disabled, encryption disabled, link up),

10 message lines logged,

0 message lines rate-limited,

0 message lines dropped-by-MD,

xml disabled, sequence number disabled

filtering disabled

 

Log Buffer (4096 bytes):

 

*Mar  1 01:32:37.456: %SYS-5-CONFIG_I: Configured from console by console

*Mar  1 01:33:52.515: %SYS-5-CONFIG_I: Configured from console by console

*Mar  1 01:34:11.863: %SYS-5-CONFIG_I: Configured from console by console

*Mar  1 01:36:36.127: %SYS-5-CONFIG_I: Configured from console by console

*Mar  1 01:36:52.318: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 0.0.0.0] [localport: 0] at 01:36:52 UTC Fri Mar 1 2002

*Mar  1 01:37:32.031: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 0.0.0.0] [localport: 0] at 01:37:32 UTC Fri Mar 1 2002
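To make the quiet-period logic concrete, here is an added Python model of the Login Block behaviour configured above (block-for 300, attempts 3, within 120, a quiet-mode ACL for 172.16.1.0/24, the login delay, and on-failure/on-success logging). It is an illustration written for this page, not Cisco IOS code; the watch-window and trigger semantics it assumes, and the constructed log-line format, are noted in the comments.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LoginBlock:
    """Model of login block-for / quiet-mode access-class / login delay and the
    on-failure / on-success logging options. Constructed simplification, not IOS code."""
    block_for: int                    # seconds the router stays in quiet mode
    attempts: int                     # failures inside the watch window that trigger quiet mode
    within: int                       # watch window length in seconds
    delay: int = 1                    # 'login delay'; IOS applies 1 second by default
    quiet_mode_acl: list = field(default_factory=list)   # networks still allowed in quiet mode
    on_failure_every: int = 0         # 'login on-failure log every N'; 0 means not configured
    on_success_every: int = 0         # 'login on-success log every N'; 0 means not configured
    failures: list = field(default_factory=list)         # timestamps of failures in the window
    total_failures: int = 0
    total_successes: int = 0
    quiet_until: int = -1             # end of the current quiet period
    last_attempt: int = -10**9        # time of the last attempt that reached authentication
    syslog: list = field(default_factory=list)           # constructed log lines, not IOS format

    def in_quiet_mode(self, now: int) -> bool:
        return now < self.quiet_until

    def _permitted_in_quiet_mode(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(net) for net in self.quiet_mode_acl)

    def attempt(self, now: int, src: str, success: bool) -> str:
        """Process one login attempt; returns 'denied', 'delayed', 'failed' or 'accepted'."""
        # Quiet mode: every connection is refused unless the source matches the ACL.
        if self.in_quiet_mode(now) and not self._permitted_in_quiet_mode(src):
            return "denied"
        # 'login delay': successive attempts must be at least `delay` seconds apart.
        if now - self.last_attempt < self.delay:
            return "delayed"
        self.last_attempt = now
        if success:
            self.total_successes += 1
            if self.on_success_every and self.total_successes % self.on_success_every == 0:
                self.syslog.append(f"LOGIN_SUCCESS [Source: {src}] at t={now}")
            return "accepted"
        # Failure: drop failures that fell out of the watch window, then count this one.
        # Assumption: the window slides relative to the current failure.
        self.failures = [t for t in self.failures if now - t <= self.within]
        self.failures.append(now)
        self.total_failures += 1
        if self.on_failure_every and self.total_failures % self.on_failure_every == 0:
            self.syslog.append(f"LOGIN_FAILED [Source: {src}] at t={now}")
        # Assumption: reaching `attempts` failures inside the window starts the quiet period
        # (the 'show login' text says "more than", but the attempts keyword sets the trigger).
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures = []
            self.syslog.append(f"QUIET_MODE_ON until t={self.quiet_until}")
        return "failed"


def run_scenario() -> list:
    """Replays the page's parameters: quiet for 300 s after 3 failures within 120 s,
    172.16.1.0/24 exempt, a log line for every 2nd failure and for every success."""
    lb = LoginBlock(block_for=300, attempts=3, within=120,
                    quiet_mode_acl=["172.16.1.0/24"], on_failure_every=2, on_success_every=1)
    events = [                         # (time, source, password correct?) - constructed input
        (0, "10.0.0.5", False), (10, "10.0.0.5", False), (20, "10.0.0.5", False),
        (30, "10.0.0.5", True),        # correct password, but the router is now in quiet mode
        (30, "172.16.1.10", True),     # administrator subnet matches the quiet-mode ACL
        (30, "172.16.1.10", True),     # second attempt in the same second hits the login delay
        (330, "10.0.0.5", True),       # quiet period is over
    ]
    return [lb.attempt(t, src, ok) for t, src, ok in events]


if __name__ == "__main__":
    print(run_scenario())
```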

Cisco IOS Role-based Command Line Interface

The Cisco IOS role-based CLI access feature allows an administrator to define views, which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands.

Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information. In other words, a view can define what commands are accepted and what configuration information is visible. The role-based CLI access feature provides greater administrative control of commands than the use of the username and the privilege commands to accomplish the same goal.

Therefore, if the router platform you are working on supports CLI views, this is the recommended method to ensure detailed access control capability for administrators, which improves the overall security and accountability of Cisco IOS software.

In order to configure the role-based CLI access feature, two prerequisites must be met. The first prerequisite is that AAA (Authentication, Authorization, and Accounting – which will be described in detail later in this guide) must be enabled in order to use the role-based CLI access feature. This is performed by using the aaa new-model global configuration command, as illustrated in the following output:

R2#config t

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#aaa new-model

R2(config)#exit

R2#

The second prerequisite is that the system must be in root view. Root view is a special view mode that has the same access privileges as a user who has Level 15 privileges in Cisco IOS software. However, the difference between a user who has Level 15 privileges and a root view user is that a root view user can configure a new view and add or remove commands from the view. It is also important to remember that while users assigned a certain privilege level have access to all commands at and below that privilege level (e.g. a user with a privilege level of 10 has access to all commands assigned privilege levels 1–10), users in CLI views are restricted only to the commands available in that view.

In addition to this, when users are in a CLI view, they will only have access to the commands that have been added to that view by the root view user. Enabling the root view is accomplished by using the enable view EXEC command and entering the Level 15 enable secret password if prompted, as illustrated in the following output:

R2#disable

R2>

R2>enable view

Password:

 

R2#show privilege

Currently in View Context with view 'root'

Once these two prerequisites have been met, administrators can begin to configure views using the parser view [name] global configuration command. This command creates a parser view with the specified name. Once the name is created, the router then goes into view configuration mode, which allows the administrator to specify a password for the configured view, as well as the commands that are available within that view.

The password for a particular view is set by using the secret command within view configuration mode. It is important to remember that you must associate a password with a view. If you do not associate a password, and you attempt to add commands to the view, a system message such as the following will be displayed:

%Password not set for view BASIC

Commands are added to views via the commands [mode] (include | include-exclusive | exclude) [all] [interface (name) | command] command. In order to understand the correct use of this command, it is important to understand the options presented and what they mean. These options are described in the following table:

Table 2.1. IOS Command Options

Option             Description
mode               This option is used to specify the router mode in which the command that will be specified exists. For example, the show command would exist in EXEC mode, while the router command would exist in CONFIGURE mode.
include            This option adds a command or an interface to the view and allows the same command or interface to be added to another view.
include-exclusive  This option adds a command or an interface to the view and excludes the same command or interface from being added to all other views.
exclude            This option excludes a command or an interface from the view. In other words, users cannot access a command or an interface excluded by this option for the particular view they are in.
all                This option is a wildcard that allows every command in a specified configuration mode that begins with the same keyword, or every subinterface for a specified interface, to be part of the view. In essence, this performs the same function as the all keyword in the privilege command that we learned about earlier.
interface (name)   This option is used to specify the interface that is added to the view.
command            This option is used to specify the command that is added to the view.

To reinforce the configuration of views, we will go through the required steps using a practical example, as follows, where four (4) different views will be created: Level-1, Level-2, Level-3, and Level-4. The Level-1 view will be restricted to only ping and traceroute commands; the Level-2 view will be restricted to only show commands; the Level-3 view will be restricted to only static and dynamic routing configuration commands, as well as all interface configuration commands; and, finally, the Level-4 view will be restricted to only debug and undebug commands. In addition to this, the include-exclusive option is used in every view's configuration to ensure that the commands are restricted to that view only, as illustrated in the following output:

R2(config)#parser view Level-1

R2(config-view)#secret level1

R2(config-view)#commands exec include-exclusive all ping

R2(config-view)#commands exec include-exclusive all traceroute

R2(config-view)#exit

R2(config)#parser view Level-2

R2(config-view)#secret level2

R2(config-view)#commands exec include-exclusive all show

R2(config-view)#exit

R2(config)#parser view Level-3

R2(config-view)#secret level3

R2(config-view)#commands exec include-exclusive all configure

R2(config-view)#commands configure include-exclusive all router

R2(config-view)#commands configure include-exclusive all ip route

R2(config-view)#commands configure include-exclusive all interface

R2(config-view)#exit

R2(config)#parser view Level-4

R2(config-view)#secret level4

R2(config-view)#commands exec include-exclusive all debug

R2(config-view)#commands exec include-exclusive all undebug

R2(config-view)#exit

R2(config)#exit

R2#

The view configuration can be validated by the administrator via the use of the enable view [name] command and by entering the correct password for the specified view. Once successfully logged in to a particular view, the question mark can be used to view the commands available within that view, as illustrated in the following output for the Level-1 and Level-4 views:

R2>enable view Level-1

Password:

 

R2#?

Exec commands:

enable      Turn on privileged commands

exit        Exit from the EXEC

ping        Send echo messages

show        Show running system information

traceroute  Trace route to destination

 

R2#show ?

parser  Show parser commands

 

R2#show parser view

Current view is 'Level-1'

 

R2#show ip interface brief

^

% Invalid input detected at '^' marker.

 

R2#ping 172.16.1.2

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R2#exit

 

 

Press RETURN to get started.

 

R2>

R2>

R2>enable view Level-4

Password:

 

R2#?

Exec commands:

debug    Debugging functions (see also 'undebug')

enable   Turn on privileged commands

exit     Exit from the EXEC

show     Show running system information

undebug  Disable debugging functions (see also 'debug')

 

R2#show parser view

Current view is 'Level-4'

R2#

R2#show ip interface brief

^

% Invalid input detected at '^' marker.

 

R2#debug ip packet

IP packet debugging is on

R2#

R2#undebug all

All possible debugging has been turned off

In addition to creating standard views, it is also possible to create a superview. A superview consists of one or more already configured CLI views and, like a view, defines what commands are accepted and what configuration information is visible. Superviews allow a network administrator to assign users to a single superview instead of having to assign multiple CLI views to a group of users. Superviews have the following characteristics:

  • A CLI view can be shared among multiple superviews. In other words, standard CLI views can belong to more than one superview.
  • Commands cannot be configured for a superview. Therefore, administrators must add commands to a CLI view and add that CLI view to the superview.
  • Users who are logged in to a superview can access all of the commands that are configured for any of the CLI views that are part of the superview.
  • Each superview has a password that is used to switch between superviews or from a CLI view to a superview.
  • Deleting a superview will not also delete all CLI views associated with that superview. In other words, deleting a superview does not delete the standard views that are associated with that superview. If CLI views need to be deleted, the administrator must manually delete them while logged in to the root view.

When configuring superviews, the secret command is used to configure the password for the superview, in the same manner as in standard views. However, unlike standard CLI views, there is no commands option in superviews. The only command available is the view command, which allows administrators to add standard CLI views to the superview.

Adding to the view configuration performed earlier, the following configuration creates three (3) superviews. The first superview (LEVEL-1-2) will include all commands available from the Level-1 and Level-2 standard CLI views, which were previously configured. The second superview (LEVEL-3-4) will include all commands available from the Level-3 and Level-4 standard CLI views, which were also previously configured. And, finally, the third superview (LEVEL-ALL) will contain commands available in all four standard views:

R2>enable view

Password:

 

R2#config t

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#parser view LEVEL-1-2 superview

R2(config-view)#?

View commands:

default  Set a command to its defaults

exit     Exit from view configuration mode

no       Negate a command or set its defaults

secret   Set a secret for the current view

view     View to be added to SuperView

 

R2(config-view)#secret level12

R2(config-view)#view Level-1

R2(config-view)#view Level-2

R2(config-view)#exit

R2(config)#parser view LEVEL-3-4 superview

R2(config-view)#secret level34

R2(config-view)#view Level-3

R2(config-view)#view Level-4

R2(config-view)#exit

R2(config)#parser view LEVEL-ALL superview

R2(config-view)#secret levelall

R2(config-view)#view Level-1

R2(config-view)#view Level-2

R2(config-view)#view Level-3

R2(config-view)#view Level-4

R2(config-view)#exit

R2(config)#exit

R2#

R2#show parser view

Current view is 'root'

R2#

R2#show parser view all

Views/SuperViews Present in System:

Level-1

Level-2

Level-3

Level-4

LEVEL-1-2 *

LEVEL-3-4 *

LEVEL-ALL *

-------(*) represent superview-------

As is the case with standard CLI views, the enable view [name] command followed by the password is used to log in to superviews. Again, a question mark can be used to validate the command options available to that particular view, as illustrated in the following output:

R2 con0 is now available

 

 

Press RETURN to get started.

 

 

R2>enable view LEVEL-1-2

Password:

 

R2#?

Exec commands:

enable      Turn on privileged commands

exit        Exit from the EXEC

ping        Send echo messages

show        Show running system information

traceroute  Trace route to destination

R2#

R2#exit

 

R2 con0 is now available

 

 

Press RETURN to get started.

 

R2>

R2>enable view LEVEL-3-4

Password:

 

R2#?

Exec commands:

configure  Enter configuration mode

debug      Debugging functions (see also 'undebug')

enable     Turn on privileged commands

exit       Exit from the EXEC

show       Show running system information

undebug    Disable debugging functions (see also 'debug')

R2#

R2#exit

 

R2 con0 is now available

 

Press RETURN to get started.

R2>

R2>

R2>

R2>enable view LEVEL-ALL

Password:

 

R2#?

Exec commands:

configure   Enter configuration mode

debug       Debugging functions (see also 'undebug')

enable      Turn on privileged commands

exit        Exit from the EXEC

ping        Send echo messages

show        Show running system information

traceroute  Trace route to destination

undebug     Disable debugging functions (see also 'debug')
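The following Python model, added for this page and not Cisco IOS code, replays the standard views and superviews configured above and checks the rules the text states: an include-exclusive command cannot be added to a second view, a superview takes no commands of its own and offers the union of its member views, and a view cannot receive commands until a secret is set. The implicit enable, exit and show parser view commands, the prefix matching for the all keyword, and the error strings are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class CliView:
    name: str
    superview: bool = False
    secret: str = ""
    rules: list = field(default_factory=list)    # (mode, action, command, all) for standard views
    members: list = field(default_factory=list)  # names of member views for superviews


def _matches(words: list, command: str, all_: bool) -> bool:
    """A typed line matches a configured command exactly, or by prefix when 'all' was given."""
    cw = command.split()
    return words[:len(cw)] == cw and (all_ or len(words) == len(cw))


class ParserViews:
    """Model of parser view / secret / commands / view (constructed illustration, not IOS code)."""
    # Assumed to be available in every view without configuration, as the 'R2#?' output shows.
    IMPLICIT = {"exec": ["enable", "exit", "show parser view"]}

    def __init__(self) -> None:
        self.views = {}
        self.exclusive = {}   # (mode, command) -> view holding it include-exclusive

    def parser_view(self, name: str, superview: bool = False, secret: str = "") -> CliView:
        return self.views.setdefault(name, CliView(name, superview, secret))

    def commands(self, name, mode, action, command, all_=False) -> None:
        """'commands [mode] (include | include-exclusive | exclude) [all] command'."""
        v = self.views[name]
        if v.superview:
            raise ValueError("commands cannot be configured for a superview")
        if not v.secret:
            raise ValueError(f"%Password not set for view {name}")
        owner = self.exclusive.get((mode, command))
        if action != "exclude" and owner not in (None, name):
            raise ValueError(f"{mode} command '{command}' is exclusive to view {owner}")
        if action == "include-exclusive":
            self.exclusive[(mode, command)] = name
        v.rules.append((mode, action, command, all_))

    def view(self, superview: str, member: str) -> None:
        """'view [name]' in superview configuration mode: only standard views can be added."""
        sv = self.views[superview]
        if not sv.superview or self.views[member].superview:
            raise ValueError("only standard CLI views can be added to a superview")
        sv.members.append(member)

    def _standard(self, name: str) -> list:
        v = self.views[name]
        return [self.views[m] for m in v.members] if v.superview else [v]

    def permitted(self, name: str, mode: str, line: str) -> bool:
        """True if `line` typed in `mode` is accepted in view `name`; an exclude rule wins."""
        words = line.split()
        if any(_matches(words, c, True) for c in self.IMPLICIT.get(mode, [])):
            return True
        allowed = False
        for v in self._standard(name):
            for rmode, action, command, all_ in v.rules:
                if rmode == mode and _matches(words, command, all_):
                    if action == "exclude":
                        return False
                    allowed = True
        return allowed

    def exec_keywords(self, name: str) -> list:
        """First keyword of each EXEC command the view offers, like the 'R2#?' listing above."""
        kws = {c.split()[0] for c in self.IMPLICIT["exec"]}
        for v in self._standard(name):
            kws |= {c.split()[0] for m, a, c, _ in v.rules if m == "exec" and a != "exclude"}
        return sorted(kws)


def build_page_views() -> ParserViews:
    """Replays the Level-1..Level-4 views and the three superviews configured above."""
    p = ParserViews()
    standard = {"Level-1": [("exec", "ping"), ("exec", "traceroute")],
                "Level-2": [("exec", "show")],
                "Level-3": [("exec", "configure"), ("configure", "router"),
                            ("configure", "ip route"), ("configure", "interface")],
                "Level-4": [("exec", "debug"), ("exec", "undebug")]}
    for name, cmds in standard.items():
        p.parser_view(name, secret=name.lower().replace("-", ""))   # level1 .. level4
        for mode, cmd in cmds:
            p.commands(name, mode, "include-exclusive", cmd, all_=True)
    supers = {"LEVEL-1-2": ["Level-1", "Level-2"], "LEVEL-3-4": ["Level-3", "Level-4"],
              "LEVEL-ALL": ["Level-1", "Level-2", "Level-3", "Level-4"]}
    for name, members in supers.items():
        p.parser_view(name, superview=True, secret=name.lower().replace("-", ""))
        for m in members:
            p.view(name, m)
    return p


def exclusive_conflict(p: ParserViews) -> str:
    """Error text when Level-2 asks for 'ping', which Level-1 holds include-exclusive."""
    try:
        p.commands("Level-2", "exec", "include", "ping", all_=True)
    except ValueError as err:
        return str(err)
    return ""
```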

Securing Cisco IOS Router Files and Images

The Cisco IOS resilient configuration feature, available in Cisco IOS 12.2SX and 12.4, enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage, which include NVRAM and flash memory.

This feature is intended to speed up the recovery process in the event that a router has been compromised and its operating software and configuration data have been erased from its persistent storage. This is possible because the Cisco IOS resilient configuration feature maintains a secure working copy of the router image and the startup configuration (NVRAM) at all times and the user cannot remove these secure files. This set of image and router running configuration is referred to as the primary bootset. The resilient configuration feature has the following characteristics:

  • The copy of the running configuration that was in the router when the feature was first enabled is used as the configuration file in the primary bootset.
  • The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.
  • The feature automatically detects Cisco IOS image or configuration version mismatch.
  • Only local storage (i.e. on the router itself) is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.
  • The feature can be disabled only through a console session, which means that the administrator must have physical access to the router to perform this, enhancing security.

The Cisco IOS resilient configuration feature is very straightforward to implement. In order to save a primary bootset to a secure archive in persistent storage, only two configuration commands are required. The first configuration command, the secure boot-image command, is used to enable Cisco IOS image resilience. The second configuration command, the secure boot-config command, is used to store a secure copy of the primary bootset in persistent storage.

Although the IOS resilient configuration feature provides enhanced security for Cisco IOS routers, it is important to understand that it has several restrictions. The first major restriction is that this feature is available only on platforms that support a Personal Computer Memory Card International Association (PCMCIA) Advanced Technology Attachment (ATA) disk. In addition to this, even on these devices, there must be enough space on the storage device to accommodate at least one Cisco IOS image (two for upgrades) and a copy of the running configuration, and the software must also include IOS File System (IFS) support for secure file systems. This reduces the number of platforms on which this feature can be implemented.

Another restriction is that it may be possible to force removal of secured files using an older version of Cisco IOS software that does not contain file system support for hidden files. In other words, booting up the router using an older image that does not support the IOS resilient configuration feature effectively negates the security afforded by this feature.

In addition, as previously mentioned, you cannot secure a bootset with an image loaded from the network – i.e. from a TFTP or FTP server residing on the network. The running image must be loaded from persistent storage to be secured as primary.

Finally, it is important to remember that secured files will not appear on the output of a dir command issued from the EXEC shell because the IFS prevents secure files in a directory from being listed. Additionally, it is important to remember that the Cisco IOS image will not be visible in the output of the show flash command. Instead, use the show secure bootset command to verify archive existence. However, ROM monitor (ROMMON) mode does not have any such restriction and can be used to list and boot secured files.

In addition to the Cisco IOS resilient configuration feature, administrators can also leverage IOS image verification. This feature allows administrators to automatically verify the integrity of Cisco IOS images, ensuring that an image has not been corrupted (accidentally or otherwise) at any point in transit, from the moment the files are generated by Cisco until they reach the user.

This removes the need for administrators to manually compare the IOS image MD5 hash printed on the Cisco download website with one generated on their own server in order to confirm that the image has not been corrupted, which is the case when the two MD5 hashes are the same.

To enable this feature, the file verify auto global configuration command must be configured on the router. Next, after issuing the file verify auto command, each image that is copied or reloaded (i.e. when the router reboots) will automatically be verified. This is illustrated in the following output on a router that has been configured to verify automatically the Cisco IOS image and is then reloaded (rebooted):

R2#config t

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#file verify auto

R2(config)#end

R2#

R2#copy system:running-config nvram:startup-config

Destination filename [startup-config]?

Building configuration...

[OK]

R2#

R2#

R2#reload

Verifying file integrity of flash:/c2600-advsecurityk9-mz.124-15.T9.bin..........................................Done!

Embedded Hash   MD5 : 7F57E6DA1A57A0EC80AF4215F80967B8

Computed Hash   MD5 : 7F57E6DA1A57A0EC80AF4215F80967B8

CCO Hash        MD5 : ABCA61DDB615FB5722CEC3303B9A8DDC

Signature Verified

 

Proceed with reload? [confirm]

If the file verify auto configuration command has not been applied globally onto the router, it is still possible to verify the Cisco IOS image when copying it from its location or when the router is rebooted (reloaded). To verify the Cisco IOS image when copying it, the copy /verify command is used. It is important to keep in mind that the basic functionality and options of the copy /verify command still remain the same, as illustrated in the following output:

R2#copy /verify ?

/erase          Erase destination file system.

archive:        Copy from archive: file system

cns:            Copy from cns: file system

flash:          Copy from flash: file system

ftp:            Copy from ftp: file system

http:           Copy from http: file system

https:          Copy from https: file system

null:           Copy from null: file system

nvram:          Copy from nvram: file system

rcp:            Copy from rcp: file system

running-config  Copy from current system configuration

scp:            Copy from scp: file system

startup-config  Copy from startup configuration

system:         Copy from system: file system

tar:            Copy from tar: file system

tftp:           Copy from tftp: file system

tmpsys:         Copy from tmpsys: file system

xmodem:         Copy from xmodem: file system

ymodem:         Copy from ymodem: file system

To verify an image when the router boots (assuming the file verify auto command has not been used), the reload /verify command is used. As is the case with the copy /verify command, the reload /verify command still performs the same basic function and still presents the same options, as illustrated in the following output:

R2#reload /verify ?

LINE    Reason for reload

at      Reload at a specific time/date

cancel  Cancel pending reload

in      Reload after a time interval

<cr>

The final topic we are going to learn about in this section is the Secure Copy (SCP) feature that is available in Cisco IOS routers. SCP provides a secure and authenticated method for copying router configuration or image files. SCP relies on Secure Shell (SSH).

Before SCP can be used, the administrator must correctly configure SSH, Authentication, and Authorization on the router (both Authentication and Authorization are described in detail later in this guide). In addition to this, the router must have a Rivest, Shamir, and Adleman (RSA) key pair. These two requirements pertain to SSH configuration, which is a necessity due to the fact that SCP relies on SSH.

Because SSH and Authentication, Authorization, and Accounting (AAA) are described in detail later in this guide, the emphasis in this section is centered on the SCP feature. Therefore, do not worry if the SSH or AAA configuration presented here seems confusing at first glance, as it is provided simply for the sake of being thorough. You will learn about SSH and AAA theory and configuration in detail later in this guide.

The only SCP-related configuration command required in order to allow a router to support SCP server functionality is the ip scp server enable global configuration command. The other commands required for the SCP feature pertain to SSH and AAA configuration. In order to understand SCP, the following diagram will be used as an example, illustrating the configuration commands required to enable SCP server functionality on a Cisco IOS router:

Network Ready for SCP Configuration

Figure 2.1. Network Ready for SCP Configuration

Based on the network diagram illustrated above, R1 will be configured as an SCP server. In addition to this, R1 will also be configured as a TFTP server. The TFTP file that R1 will allow clients to download is named TEST, and this file will be stored on R1’s flash memory. Users wishing to download this file via SCP must log in using the username SCPUSER with the password SCPPASSWORD. The configuration on R1 to perform this is implemented as follows:

NOTE: Do not focus on the SSH or AAA configuration. This is provided for the purposes of being thorough and is described later in this guide:

R1(config)#ip domain-name howtonetwork.net
R1(config)#crypto key generate rsa
The name for the keys will be: R1.howtonetwork.net
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#aaa authorization exec default local
R1(config)#username SCPUSER privilege 15 secret SCPPASSWORD
R1(config)#ip scp server enable
R1(config)#tftp-server flash:TEST
R1(config)#exit
R1#

Next, R2 can then be configured to copy the file named TEST from R1 using SCP. This is performed by using the copy scp command, as illustrated in the following output:

R2#copy scp: flash:
Address or name of remote host []? 172.16.1.1
Source username [R2]? SCPUSER
Source filename []? TEST
Destination filename [TEST]? TEST
Erase flash: before copying? [confirm]n
Password:
!
Verifying checksum...  OK (0x6C6)
2766 bytes copied in 9.295 secs (298 bytes/sec)
R2#
R2#show flash:

System flash directory:
File  Length   Name/status
1   19615064  c2600-advsecurityk9-mz.124-15.T9.bin
2   1038     home.shtml
3   2754     sdmconfig-26xx.cfg
4   112640   home.tar
5   1505280  common.tar
6   6389760  sdm.tar
7   931840   es.tar
8   2766     TEST
[28567324 bytes used, 4462816 available, 33030140 total]
32768K bytes of processor board System flash (Read/Write)

Cisco IOS AutoSecure

The Cisco IOS AutoSecure feature eliminates the complexity of securing a router by creating a new CLI that automates the configuration of security features and disables certain features, which are typically enabled by default but could be exploited for security holes. AutoSecure provides the following mechanisms to enhance security access to the router:

  • Simplified Router Security Configuration
  • Enhanced Password Security
  • Roll-back and System Logging Message Support

Simplified Router Security Configuration

AutoSecure is valuable to customers without special Security Operations Applications because it quickly allows them to secure their network without thorough knowledge of all the Cisco IOS features and commands.

This feature eliminates the complexity of securing a router by creating a new CLI that automates the configuration of security features and disables certain features, which are typically enabled by default but could be exploited for security holes.

Enhanced Password Security

AutoSecure provides two mechanisms to enhance password security on the router. The first mechanism is the ability to configure a required minimum password length, which can eliminate common passwords such as ‘cisco’.

The second mechanism is the ability to generate Syslog messages after the number of unsuccessful attempts exceeds the configured threshold.

Roll-back and System Logging Message Support

AutoSecure also provides support for the roll-back of the AutoSecure configuration. Roll-back enables a router to revert back to its pre-AutoSecure configuration state if the AutoSecure configuration fails or does not work as expected.

The two main focuses of the AutoSecure feature are to secure the Management plane and the Forwarding plane. The Management plane is the logical path of all traffic related to the management of a router. The Management plane performs management functions for a network and is used to manage a device through its connection to the network. Some examples of protocols that are processed in the Management plane are Simple Network Management Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for monitoring and for CLI access.

The Forwarding plane refers to a router’s forwarding path involved in processing transit traffic or traffic that is destined to the router. The Forwarding plane constitutes the packet-forwarding, switching, and queuing components involved in the packet flow. Examples of features covered in Forwarding plane security are ACLs and Unicast Reverse Path Forwarding (uRPF).

Securing the Management Plane

Cisco IOS AutoSecure secures the Management plane by disabling certain global and interface services that can potentially be exploited for security attacks and, at the same time, enabling global services that help mitigate the threat of attacks. In addition to this, AutoSecure configures secure access and secure logging for the router. After enabling this feature, via the auto secure command, the following global services will be disabled on the router without prompting the user:

  • Finger—which can be used to collect information about the system before an attack. If enabled, the information can leave your device vulnerable to attacks. This is disabled by issuing the no service finger command.
  • PAD—which enables all packet assembler and disassembler (PAD) commands and connections between PAD devices and access servers. If enabled, it can leave your device vulnerable to attacks. This is disabled by issuing the no service pad command.
  • Small Servers—these can allow for TCP and User Datagram Protocol (UDP) diagnostic port attacks, where a sender transmits a volume of fake requests for UDP diagnostic services on the router, consuming all CPU resources. These are disabled by issuing the no service tcp-small-servers and no service udp-small-servers commands.
  • BOOTP Server—BOOTP is an unsecure protocol that can be exploited for an attack. This feature is disabled by issuing the no ip bootp server command.
  • HTTP Server—without Secure HTTP (HTTPS) or authentication embedded in the HTTP server with an associated ACL, the HTTP server is unsecure and can be exploited for an attack. The HTTP server is disabled by issuing the no ip http server command. However, if you must enable the HTTP server, you will be prompted for authentication or an ACL.
  • Identification Service—this is an unsecure protocol, defined in RFC 1413, that allows one to query a TCP port for identification. An attacker can access private information about the user from the ID server. This is disabled by issuing the no ip identd command.
  • CDP—while Cisco Discovery Protocol (CDP) is generally a useful and desirable service, it is important to know that if a large number of CDP packets are sent to the router, the available memory of the router can be consumed, causing the router to crash. CDP is disabled by issuing the no cdp run command.
  • NTP—without authentication or access control, Network Time Protocol (NTP) is unsecure and can be used by an attacker to send NTP packets to overload or crash the router. NTP is disabled by issuing the no ntp command. However, if you want to enable NTP, you must configure NTP authentication using MD5, as well as an ACL, to filter NTP sources. If NTP is enabled globally, disable it on all interfaces on which it is not needed.
  • Source Routing—this allows users to control (to some extent) the path a packet will take from source to destination. This may be used by attackers to bypass firewalls or other mechanisms and is therefore disabled by using the no ip source-route command.

In addition to the global services that are disabled by AutoSecure, the following interface services are also disabled by the AutoSecure feature:

  • ICMP redirects—these allow hosts to be redirected by other gateways with better paths to the intended destination but do not add useful functionality to a correctly configured network. These are disabled on interfaces via the no ip redirects command, as this feature could be used by attackers to exploit security holes.
  • ICMP unreachables—ICMP unreachables are a known cause of some ICMP-based DoS attacks and are sent when a service or port is unreachable. These are disabled on interfaces via the no ip unreachables command.
  • ICMP mask reply messages—these messages can give an attacker the subnet mask for a particular subnet in the internetwork and are therefore disabled via the no ip mask-reply interface configuration command.
  • Proxy-Arp—this allows a router to respond on behalf of another device. Proxy-Arp requests are a known cause of DoS attacks because the available bandwidth and resources of the router can be consumed in an attempt to respond to the repeated requests that are sent by an attacker. Proxy-Arp is disabled via the no ip proxy-arp command.
  • Directed broadcast—this feature allows routers to forward directed broadcasts, which can potentially be used for DoS smurf attacks. This feature is disabled by issuing the no ip directed-broadcast command.
  • Maintenance Operations Protocol (MOP) service—MOP is used for utility services such as uploading and downloading system software, remote testing, and problem diagnosis. Because of this, it can be used for malicious activities by an attacker. MOP is disabled by issuing the no mop enabled command.

Finally, AutoSecure enables several global services, further secures the router, and enables logging. AutoSecure performs the following:

  • Enables the service password-encryption command, which prevents passwords from being visible in the configuration.
  • Enables the service tcp-keepalives-in and service tcp-keepalives-out commands, which ensure that abnormally terminated TCP sessions are removed.
  • If a text banner does not exist, users will be prompted to add a banner.
  • The login and secret commands are configured on the CON, AUX, VTY, and TTY lines. The transport input [telnet|ssh] and transport output [telnet|ssh] commands are configured on all of these lines. Also, the exec-timeout 10 command is configured on the CON and AUX lines.
  • When the image on the device is a crypto image, AutoSecure enables SSH and SCP for access and file transfer to and from the router. The ip ssh timeout [seconds] and ip ssh authentication-retries [number] options for SSH are configured to a minimum number. Telnet and FTP are not affected by this operation and remain operational.
  • If the AutoSecure user specifies in interactive mode that his or her device does not use Simple Network Management Protocol (SNMP), the user is asked whether to disable SNMP, regardless of the values of the community strings, which act like passwords to regulate access to the agent on the router; however, in non-interactive mode, SNMP will be disabled if the community string is ‘public’ or ‘private.’
  • AutoSecure enables sequence numbers and time stamps for all debug and log messages via the service sequence-numbers and service timestamps [options] commands. This is useful when auditing logging messages.

Securing the Forwarding Plane

Unlike the Management plane, there are considerably fewer recommendations that can be implemented to secure the Forwarding plane, as follows:

  • Cisco Express Forwarding
  • TCP Intercept
  • Unicast Reverse Path Forwarding
  • Context-Based Access Control

Cisco Express Forwarding (CEF) is used to increase packet switching speed, reducing the overhead and delays introduced by other routing techniques, and to increase overall router performance. While going into detail on CEF is beyond the scope of the IINS course requirements, it is important to know that routers configured for CEF perform better under SYN attacks than routers using the traditional cache. CEF is enabled by issuing the ip cef command.

The TCP Intercept feature implements software to protect TCP servers from TCP SYN flooding attacks, which are a type of DoS attack. This feature helps prevent SYN flooding attacks by intercepting and validating TCP connection requests. As is the case with CEF, going into detail on the TCP Intercept feature is beyond the scope of the IINS course requirements. However, if the TCP Intercept feature is available, it can be configured on the router for connection timeout. TCP Intercept is enabled by using the ip tcp intercept [options] command.

Unicast Reverse Path Forwarding (uRPF) was described in Chapter 1. The uRPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. This feature is enabled by the ip verify unicast reverse-path [options] interface configuration command.

Context-Based Access Control (CBAC) is an integral part of the Cisco IOS Firewall. CBAC intelligently filters TCP and UDP packets based on Application Layer protocol session information. This feature, which is described in detail later in this guide, is enabled by using the ip inspect [options] command.
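As an added example (not Cisco's code and not part of this guide), the following Python script audits an IOS running-config text for the Management-plane hardening lines listed above and for the ip cef setting from the Forwarding-plane discussion, reporting which explicit "no" or enable lines are absent. The sample configuration is constructed, and the script assumes, as the lists above do, that a hardened router carries those explicit lines in its configuration rather than querying a live device.

```python
import re

# Global "no" lines the Management-plane list above says AutoSecure writes.
GLOBAL_DISABLE = [
    "no service finger", "no service pad",
    "no service tcp-small-servers", "no service udp-small-servers",
    "no ip bootp server", "no ip http server", "no ip identd",
    "no cdp run", "no ip source-route",
]

# Per-interface "no" lines from the interface-services list above.
INTERFACE_DISABLE = [
    "no ip redirects", "no ip unreachables", "no ip mask-reply",
    "no ip proxy-arp", "no ip directed-broadcast", "no mop enabled",
]

# Services AutoSecure turns on (Management plane) plus ip cef (Forwarding plane).
GLOBAL_ENABLE = [
    "service password-encryption", "service tcp-keepalives-in",
    "service tcp-keepalives-out", "service sequence-numbers", "ip cef",
]


def parse_config(text):
    """Split an IOS config into global lines and {interface: [subcommands]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            current = None          # '!' or a blank line ends a section
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())   # indented subcommand
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return {'global': [missing lines/findings], 'interfaces': {name: [missing]}}."""
    global_lines, interfaces = parse_config(text)
    present = set(global_lines)
    findings = {"global": [], "interfaces": {}}
    for cmd in GLOBAL_DISABLE + GLOBAL_ENABLE:
        if cmd not in present:
            findings["global"].append(cmd)
    # 'service timestamps' takes options, so match only the prefix.
    if not any(l.startswith("service timestamps log") for l in global_lines):
        findings["global"].append("service timestamps log [options]")
    # Non-interactive AutoSecure disables SNMP for these community strings.
    for l in global_lines:
        m = re.match(r"snmp-server community (\S+)", l)
        if m and m.group(1).lower() in ("public", "private"):
            findings["global"].append(f"{m.group(0)} (default community string)")
    for name, lines in interfaces.items():
        missing = [c for c in INTERFACE_DISABLE if c not in set(lines)]
        if missing:
            findings["interfaces"][name] = missing
    return findings


# Constructed sample: a partially hardened config (not taken from the guide).
SAMPLE_CONFIG = """\
!
service timestamps log datetime msec
service password-encryption
no service pad
!
ip cef
no ip bootp server
no ip source-route
ip http server
snmp-server community public RO
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no ip proxy-arp
 no ip directed-broadcast
 no mop enabled
!
interface Serial0/0
 ip address 150.1.1.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
end
"""

if __name__ == "__main__":
    for scope, items in audit(SAMPLE_CONFIG).items():
        print(scope, items)
```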

Enabling and Using AutoSecure

Now that we have an understanding of the AutoSecure feature, the next logical step is how to use or implement this feature. AutoSecure is enabled by using the auto secure [options] privileged EXEC command. The options available with this command are as follows:

R2#auto secure ?
firewall     AutoSecure Firewall
forwarding   Secure Forwarding Plane
full         Interactive full session of AutoSecure
login        AutoSecure Login
management   Secure Management Plane
no-interact  Non-interactive session of AutoSecure
ntp          AutoSecure NTP
ssh          AutoSecure SSH
<cr>

Because this command provides numerous options, it is important to discuss the options that pertain to the IINS course requirements. These options are firewall, forwarding, management, and no-interact.

The firewall option is used to enable CBAC, which is a feature of the overall Cisco IOS Firewall solution. The forwarding option secures only the router Forwarding plane. The management option is used to secure only the Management plane. And, finally, if the no-interact option is selected, the AutoSecure feature does not prompt the user for any interactive configurations. However, if no options are specified, the user will be prompted for all interactive options, which is the equivalent of the auto secure full command.

The following illustration demonstrates how to enable the AutoSecure feature to secure an Internet-facing router by using the auto secure firewall command:

Enabling AutoSecure

Figure 2.2. Enabling AutoSecure

The steps to perform this configuration are illustrated in the following output:

R2#auto secure firewall
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
AutoSecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.2      YES NVRAM  up                    up
Serial0/0                  150.1.1.2       YES manual up                    up
Enter the interface name that is facing the internet: Serial0/0

Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:

ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
interface Serial0/0
 ip inspect autosec_inspect out
 ip access-group autosec_firewall_acl in
!
end


Apply this configuration to running-config? [yes]: yes

Applying the config generated to running-config

R2#
R2#

Once the configuration has been applied to the running-config, do not forget to save it to NVRAM (startup-config); otherwise, all changes and implementations will be lost if the router is rebooted or reloaded. The current configuration can be saved to NVRAM using either the copy running-config startup-config command or the copy system:running-config nvram:startup-config command.

The Cisco SDM Security Audit Feature

Cisco SDM provides an intuitive router security audit feature with one-step security audit capability that validates router configurations against a list of common security vulnerabilities and Cisco-recommended settings and provides a summary of recommended best practices.

The audit report highlights the potential security problems identified in the router configuration and can generate corresponding configurations to correct the shortfalls. The SDM Security Audit feature operates in one of two modes—the Security Audit wizard, which lets you choose which potential security-related configuration changes to implement on your router, and One-Step Lockdown, which automatically makes all recommended security-related configuration changes. This section focuses exclusively on the Security Audit wizard; the One-Step Lockdown mode is described in the next section.

To begin the Cisco SDM Security Audit feature, select Security Audit in the left frame of the configuration page, as illustrated by the arrow in the following screenshot:

Select Security Audit

Figure 2.3. Select Security Audit

On the following screen, click on the Perform security audit button, as illustrated by the arrow in the following screenshot:

Perform Security Audit

Figure 2.4. Perform Security Audit

This action launches the Security audit wizard. The following page provides an overview of the actions that will be performed via the security audit. Click on Next to proceed:

Security Audit Wizard

Figure 2.5. Security Audit Wizard

The previous action brings you to the Security audit interface configuration page. Depending on the interfaces on your router, you need to select an outside interface (i.e. one that is connected to an untrusted network, such as the Internet) and an inside interface (i.e. one that is connected to a trusted network, such as the corporate LAN).

The router used in this example has two interfaces: Serial0/0 (which is connected to the Internet) and FastEthernet0/0 (which is connected to the trusted LAN); therefore, Serial0/0 is marked as untrusted (outside), while FastEthernet0/0 is marked as trusted (inside). Once your selection has been made, click on Next:

Designate Inside and Outside Interfaces

Figure 2.6. Designate Inside and Outside Interfaces

Once you click on Next, the Security Audit is performed, and you will be brought to the Security audit screen. A screen showing the progress of this action appears, listing all of the configuration options being tested for and whether the current router configuration passes those tests.

You can use the scroll bar on the right to scroll down and look at the status of the entire report. If you want to save this report to a file for later viewing and consideration, simply click the Save Report button illustrated in the following screenshot:

Security Audit is Performed

Figure 2.7. Security Audit is Performed

However, if you want to implement the recommendations of the Security Audit, simply click on the Close button. This will bring you to the following screen:

Options to Fix Issues

Figure 2.8. Options to Fix Issues

As illustrated in the screenshot above, an administrator can select the Fix All button to fix all issues identified in the Security Audit or individually select the features he or she would like fixed or implemented by simply checking the Fix it checkboxes on the right-hand side.

In addition to fixing issues identified in the Security Audit, SDM is also capable of undoing changes previously applied from the Security Audit. If the Select an option: drop-down menu is clicked, administrators have the option to undo previously implemented security changes:

Changes Can Be Undone

Figure 2.9. Changes Can Be Undone

As is the case with the Fix the Security problems options, administrators can choose to undo all configurations by clicking on the Undo All button or they can individually select which security configurations to undo by checking the Undo check boxes on the right-hand side.

Depending on the option selected and the boxes checked for that option, the next step is to click on the Next button. In our example, only a few select services have been selected to be fixed, as illustrated in the following screenshot:

Click ‘Next’ to Confirm Changes

Figure 2.10. Click ‘Next’ to Confirm Changes

After clicking Next, SDM prints a summary of the changes the administrator specified:

Click ‘Finish’ to Progress

Figure 2.11. Click ‘Finish’ to Progress

The next step is to click on the Finish button. Once clicked, the SDM prepares the commands that it will deliver to the router and implements them. The final screen provides a summary of the number of commands delivered to the router. To complete the implementation, click on the OK button, as illustrated in the following screenshot:

Commands Delivered to Router

Figure 2.12. Commands Delivered to Router

An often forgotten step is saving the configuration to NVRAM. It is important that you do not forget this step; otherwise, all applied configuration will be lost if the router is reloaded. To save the running configuration to NVRAM using SDM, simply click on the Save button illustrated by the arrow in the following screenshot, and then click on the Yes button to copy the running-config to the startup-config:

Copy Run Start

Figure 2.13. Copy Run Start

The Cisco SDM One-Step Lockdown Feature

In addition to the Security Audit feature, Cisco SDM can also perform a one-step lockdown function to configure the router for recommended best practices security configuration. The One-Step Lockdown feature performs numerous tasks, which are basically the same tasks performed by the Cisco IOS AutoSecure feature via the auto secure full command.

To enable the One-Step Lockdown feature, click on the One-step lockdown button on the Security Audit page, right below the Perform security audit section, as illustrated by the arrow in the following screenshot:

One Step Lockdown

Figure 2.14. One Step Lockdown

Cisco SDM will then bring up a warning message. To proceed, simply click on Yes:

Warning Message Displayed

Figure 2.15. Warning Message Displayed

Once you have clicked on Yes, SDM prepares the commands that it will deliver to the router and the following screen appears, presenting a summary of the recommended actions. To allow SDM to proceed, and implement these settings on the router, click on the Deliver button:

Commands Delivered to Router

Figure 2.16. Commands Delivered to Router

Once the configuration has been delivered to the router, i.e. the router has been configured by SDM, do not forget to save the configuration to NVRAM; otherwise, all changes will be lost in the event that the router is rebooted. The router is locked down and the SDM one-step lockdown process is complete. As you can see, it is a very straightforward and easy process.

Chapter Summary

The following section is a summary of the major points you should be aware of in this chapter:

Securing administrative access to IOS routers

  • The Cisco IOS CLI is divided into different command modes, all of which are unique.
  • The standard order in which a user would access the modes would be:
  1. User EXEC mode
  2. Privileged EXEC mode (enabled mode)
  3. Global configuration mode
  4. Specific configuration modes
  5. Configuration submodes
  6. Configuration sub-submodes
  • The enable [privilege level] command is used to move to privileged EXEC mode.
  • Privilege levels range from 1 to 15, with 1 being the lowest and 15 being the highest.
  • It is not recommended to use the enable password command because of its weak hash algorithm.
  • The enable password command stores the password in plain text format.
  • The service password-encryption command hashes the plain enable and line passwords.
  • The enable secret command provides an MD5 hash and should be used to set passwords.
  • All command privilege levels can be adjusted by using the privilege command.
  • The security passwords min-length command specifies the minimum password lengths.

Usernames, user passwords and privilege levels

  • Cisco IOS devices can be configured so that local and remote sessions to the router are granted access based on configured username and password pairs.
  • There are two types of passwords that can be associated with usernames:
  1. Type 0, a clear text password visible to any user who has access to privileged mode.
  2. Type 7, a password encrypted by the service password-encryption command.
  • In Cisco IOS Releases 12.0(18)S, 12.2(8)T, and later, the secret keyword for the username command allows you to configure MD5 encryption for user passwords.
  • In order to allow terminal lines to authenticate users based on configured usernames, the login local configuration command is required under the terminal lines.
  • The username [name] secret [password] autocommand [command] command can also be used to further restrict users by immediately executing a specified command for a particular user and then logging the user off automatically.

Cisco IOS Login Block

  • The Cisco IOS Login Block feature (a part of the Cisco IOS Login Enhancements feature set), allows administrators to enhance the security of a router by configuring options to automatically block login attempts when a possible DoS or password attack is detected.
  • The login block and login delay options introduced by this feature can be configured for Telnet, SSH or HTTP connections.
  • This feature provides enhanced security over the security authentication failure rate <threshold-rate> log functionality.

Cisco IOS Role-based Command Line Interface

  • The Cisco IOS role-based CLI access feature allows administrators to define views, which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands.
  • Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information, i.e. a view can define what commands are accepted and what configuration information is visible.
  • In order to configure the role-based CLI access feature, two prerequisites must be met:
  1. First, AAA must be enabled on the router via the aaa new-model command.
  2. Second, the system must be in root view. This is done via the enable view command.
  • All views MUST have a password (secret) configured, otherwise they will not be enabled.
  • In addition to basic (normal) views, it is also possible to configure a superview.
  • A superview consists of one or more already configured CLI views.
  • A superview has the following characteristics:
  • A CLI view can be shared among multiple superviews.
  • Commands cannot be configured for a superview.
  • Superview users can access all commands for any CLI views that are part of the superview.
  • Each superview has a password that is used to switch between superviews.
  • If a superview is deleted, all CLI views associated with that superview will not be deleted.

Securing Cisco IOS router files and images

  • The Cisco IOS resilient configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).
  • The resilient configuration feature has the following characteristics:
  • The copy of the running configuration that was in the router when the feature was first enabled is used as the configuration file in the primary bootset.
  • The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.
  • The feature automatically detects Cisco IOS image or configuration version mismatch.
  • Only local storage (i.e. on the router itself) is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.
  • The feature can be disabled only through a console session, which means that the administrator must have physical access to the router to do so; this enhances security.
  • In addition to the Cisco IOS resilient configuration feature, administrators can also leverage the IOS image verification.
  • IOS image verification allows administrators to automatically verify the integrity of Cisco IOS images, thus ensuring that the image is protected from corruption.
  • SCP provides a secure and authenticated method for copying configuration or image files.
  • SCP relies on Secure Shell (SSH) and Authentication, Authorization and Accounting (AAA).

Cisco IOS AutoSecure

  • AutoSecure provides the following mechanisms to enhance security access to the router:
  • Simplified Router Security Configuration
  • Enhanced Password Security
  • Roll-Back and System Logging Message Support
  • Cisco IOS AutoSecure secures the Management and Forwarding planes by disabling certain global and interface services that can be potentially exploited for security attacks and, at the same time, enabling global services that help mitigate the threat of attacks.

The Cisco SDM Security Audit Feature

  • SDM provides an intuitive router security audit feature with one-step security audit capability that validates router configurations against a list of common security vulnerabilities and Cisco recommended settings, and provides a summary of recommended best practices.
  • The SDM Security Audit feature operates in one of two modes—the Security Audit wizard, which lets you choose which potential security-related configuration changes to implement on your router, and One-Step Lockdown, which automatically makes all recommended security-related configuration changes.
  • The audit report highlights the potential security problems identified in the router configuration and can generate corresponding configurations to correct the shortfalls.
  • The Security Audit Feature is launched from the Security page as illustrated below:

Figure 2-17: SDM Security page

The Cisco SDM One-Step Lockdown Feature

  • Cisco SDM can also perform a one-step lockdown function that applies the recommended best-practice security configuration to the router.
  • The one-step Lockdown feature performs numerous tasks, which are basically the same tasks performed by the Cisco IOS AutoSecure feature via the auto secure full
  • One-step Lockdown is launched from the Security page as illustrated below:

Figure 2-18: SDM Security page (One-Step Lockdown)

Commands Used in this Chapter

The following section is a summary of the commands used in this chapter:

Command (followed by its description)

enable [privilege level]
    Used to navigate to privileged EXEC mode
enable password level [level] [password]
    Used to set the enable password (not safe)
enable secret level [level] [password]
    Used to set the enable secret (recommended)
service password-encryption
    Encrypts the enable and line passwords
privilege [mode] [all|level] [level] [command]
    Used to specify default privilege levels for commands (e.g. EXEC or Config commands)
password
    Used to specify terminal line passwords
exec-timeout
    Sets the interval that the EXEC command interpreter waits for user input on terminal lines (e.g. VTY and CON)
lockable
    Allows terminal lines to be locked/unlocked
security passwords min-length <length>
    Sets the minimum password length for user, enable, and terminal line passwords
security authentication failure rate <threshold-rate> log
    Used to configure the number of allowable unsuccessful login attempts
logging on
    Enables logging
logging host <address>
    Enables logging to a remote Syslog server
login block-for [seconds] attempts [tries] within [seconds]
    Configures login parameters: the router enters a quiet period for the specified number of seconds if the configured number of failed attempts is exceeded within the given time window
login quiet-mode access-class [ACL]
    Specifies an ACL that is applied to the router when it switches to quiet mode, allowing access from the subnets specified in the ACL
login delay [seconds]
    Configures a delay between successive login attempts
login on-failure log every [number]
    Used to generate Syslog messages for failed login attempts
login on-success log every [number]
    Used to generate Syslog messages for successful login attempts
logging buffered [severity]
    Enables logging to the local router buffer
logging trap [severity]
    Specifies the severity of logs to send to a remote Syslog server
show login [failures]
    Used to view Login Block information
show logging
    Used to view logging information
aaa new-model
    Enables AAA on the router
enable view [name]
    Used to access the root (or any other) view
show privilege
    Used to view the current user privilege level
parser view [name]
    Used to configure a view
commands [mode] (include | include-exclusive | exclude) [all] [interface (name) | command]
    Used to specify the commands that are included in, or excluded from, the view being configured
view
    Used to add CLI views to a superview
secure boot-image
    Used to enable Cisco IOS image resilience
secure boot-config
    Used to store a secure copy of the primary bootset in persistent storage
dir
    Used to view directories (e.g. in Flash)
show secure bootset
    Used to verify archive existence
file verify auto
    Enables IOS image validation
copy system:running-config nvram:startup-config
    Saves the running-config (RAM) to the startup-config (NVRAM)
reload [options]
    Reloads the device (i.e. router)
copy [options]
    Used to copy files to and from the router
ip scp server enable
    Enables SCP server functionality
ip domain-name [name]
    Configures a domain name for the router
crypto key generate rsa
    Generates an RSA key pair
aaa authentication [options]
    Configures AAA Authentication
aaa authorization [options]
    Configures AAA Authorization
tftp-server [options]
    Enables TFTP server functionality
copy scp
    Used to perform SCP copying
no service finger
    Disables Finger
no service pad
    Disables PAD
no service tcp-small-servers
    Disables TCP small servers
no service udp-small-servers
    Disables UDP small servers
no ip bootp server
    Disables the BOOTP server
no ip http server
    Disables the HTTP server
no ip identd
    Disables the Identification service
no cdp run
    Disables CDP
no ntp
    Disables NTP
no ip source-route
    Disables source routing
no ip redirects
    Disables ICMP redirects
no ip unreachables
    Disables ICMP unreachables
no ip mask-reply
    Disables ICMP mask reply messages
no ip proxy-arp
    Disables Proxy-ARP
no ip directed-broadcast
    Disables directed broadcast forwarding
no mop enabled
    Disables MOP
service tcp-keepalives-in
    Enables keepalives for inbound TCP sessions
service tcp-keepalives-out
    Enables keepalives for outbound TCP sessions
transport input [telnet|ssh]
    Enables Telnet or SSH for terminal lines
ip ssh timeout [seconds]
    Specifies the idle timeout for SSH sessions
ip ssh authentication-retries [number]
    Specifies the number of times SSH users may attempt to authenticate
service sequence-numbers
    Enables sequence numbers for logs and debugs
service timestamps [options]
    Enables timestamps for logs and debugs
ip cef
    Enables CEF
ip tcp intercept [options]
    Enables TCP intercept and sets the desired options
ip verify unicast reverse-path [options]
    Enables uRPF
ip inspect [options]
    Enables CBAC
auto secure [options]
    Enables AutoSecure functionality
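As an added example (not part of the course material or any Cisco tool), the following Python script performs the kind of check the SDM Security Audit feature described above carries out: it compares a constructed running-config excerpt against a rule list drawn from the command summary and emits the corrective commands, much as One-Step Lockdown would. The rule list, the sample configuration and the suggested fix values are assumptions chosen for illustration.

```python
import re

# Constructed "show running-config" excerpt (not captured from a real router).
SAMPLE_CONFIG = """\
no service password-encryption
hostname R1
enable secret 5 $1$XXXX$placeholderhash
ip http server
login block-for 120 attempts 3 within 60
login on-failure log
secure boot-image
cdp run
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""

# Assumed audit rules modelled on the SDM / AutoSecure checks in the text:
# (rule name, regex matched against whole config lines, line expected present?, fix command)
RULES = [
    ("password encryption", r"^service password-encryption$", True, "service password-encryption"),
    ("enable secret", r"^enable secret ", True, "enable secret <strong-password>"),
    ("login block-for", r"^login block-for \d+ attempts \d+ within \d+$", True, "login block-for 120 attempts 3 within 60"),
    ("failed-login logging", r"^login on-failure log", True, "login on-failure log"),
    ("image resilience", r"^secure boot-image$", True, "secure boot-image"),
    ("config resilience", r"^secure boot-config$", True, "secure boot-config"),
    ("HTTP server off", r"^ip http server$", False, "no ip http server"),
    ("CDP off", r"^cdp run$", False, "no cdp run"),
    ("source routing off", r"^no ip source-route$", True, "no ip source-route"),
    ("VTY SSH only", r"^\s*transport input ssh$", True, "transport input ssh"),
    ("VTY exec-timeout set", r"^\s*exec-timeout 0 0$", False, "exec-timeout 10 0"),
]


def audit(config):
    """Return [(rule name, fix command)] for every rule the config fails.
    A rule fails when its line is present but should be absent, or absent but required."""
    findings = []
    for name, pattern, want_present, fix in RULES:
        present = re.search(pattern, config, re.MULTILINE) is not None
        if present != want_present:
            findings.append((name, fix))
    return findings


def lockdown_commands(config):
    """One-Step-Lockdown style output: the fix command for each failed rule."""
    return [fix for _, fix in audit(config)]


if __name__ == "__main__":
    for name, fix in audit(SAMPLE_CONFIG):
        print(f"FAIL: {name:22} -> {fix}")
```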